[gnome-continuous-yocto/gnomeostree-3.28-rocko: 7580/8267] cve-check.bbclass: detect patched CVE's also from patch file names

From: Emmanuele Bassi <ebassi src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 7580/8267] cve-check.bbclass: detect patched CVE's also from patch file names
Date: Sun, 17 Dec 2017 06:26:52 +0000 (UTC)

commit beb089b23627f084695f17802ffc5af192bbdbee
Author: Mikko Rapeli <mikko rapeli bmw de>
Date:   Mon Sep 4 09:22:14 2017 +0300

    cve-check.bbclass: detect patched CVE's also from patch file names
    
    While poky master branch has been fixed so that all CVE patch files have
    the:
    
    CVE: CVE-2017-1234556
    
    strings in the patch comments, many older versions of poky and other meta
    layers are not, but the CVE patches quite often have the CVE id in the
    patch file name.
    
    If the CVE: string also found, there are no duplicates in the report.
    
    (From OE-Core rev: 5ee5b0c66627c9e974c838b86e2e659c2f601f2a)
    
    Signed-off-by: Mikko Rapeli <mikko rapeli bmw de>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 meta/classes/cve-check.bbclass |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)
---
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index f44bbed..bc2f03f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -118,10 +118,24 @@ def get_patches_cves(d):
 
     pn = d.getVar("PN")
     cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+
+    # Matches last CVE-1234-211432 in the file name, also if written
+    # with small letters. Not supporting multiple CVE id's in a single
+    # file name.
+    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+
     patched_cves = set()
     bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
     for url in src_patches(d):
         patch_file = bb.fetch.decodeurl(url)[2]
+
+        # Check patch file name for CVE ID
+        fname_match = cve_file_name_match.search(patch_file)
+        if fname_match:
+            cve = fname_match.group(1).upper()
+            patched_cves.add(cve)
+            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+
         with open(patch_file, "r", encoding="utf-8") as f:
             try:
                 patch_text = f.read()
@@ -140,7 +154,7 @@ def get_patches_cves(d):
             for cve in cves.split():
                 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
                 patched_cves.add(cve)
-        else:
+        elif not fname_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
     return patched_cves

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]